Nine Steps to Defeating the Heartbleed Bug

 
 
By Karen A. Frenkel  |  Posted 04-14-2014 Email Print this article Print
 
 
 
 
 
 
 
 

The Heartbleed bug is a newly discovered flaw in the OpenSSL cryptographic library, CVE-2014-0160, which affects encrypted communications between web applications, e-mail exchanges, instant messaging clients and some SSL-based virtual private network connections. Via Heartbleed, attackers can access the contents of a web server's memory and other vulnerable services and compromise SSL private keys, configuration file contents, usernames and passwords, session tokens and cookie values, and DTLS that can lead to traffic amplification and DDoSes. OpenSSL has issued a security advisory indicating that only OpenSSL 1.0.1 and 1.0.2-beta releases are affected, including 1.0.1f and 1.0.1-beta1. (OpenSSL thanked Google Security's Neel Mehta for discovering the long-existing bug and Adam Langley and Bodo Moeller for the fix.) Several information security services firms, including Codenomicon and Accuvant Labs, have issued recommendations on how to mitigate the vulnerability. To read the Accuvant report, click here. For the Codenomicon report, click here.

 
 
 
  • Upgrade OpenSSL to 1.0.1g

    Users unable to immediately upgrade OpenSSL to 1.0.1g can instead recompile OpenSSL with -DOPENSSL_NO_ HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.
    Upgrade OpenSSL to 1.0.1g
  • Don't Do It Yourself

    Codenomicon warns users that "even though the actual code fix may appear trivial," use the OpenSSL patch.
    Don't Do It Yourself
  • Vulnerable Operating Systems

    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4; Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11; CentOS 6.5, OpenSSL 1.0.1e-15; Fedora 18, OpenSSL 1.0.1e-4; OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012); FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013; NetBSD 5.0.2 (OpenSSL 1.0.1e); OpenSUSE 12.2 (OpenSSL 1.0.1c)
    Vulnerable Operating Systems
  • How to Determine Vulnerabilities

    Accuvant Labs says the following tools can help determine exposure: Use SSL Command-Line and run "openssl version -a" to discover your version information; Qualys SSL Labs provides a free, web-based testing mechanism of any SSL web server on the public Internet.; A standalone Python tool identifies whether a system is vulnerable.
    How to Determine Vulnerabilities
  • Perfect Forward Security Can Help

    The server option Perfect Forward Security, which is rare but powerful, should protect past communications from retrospective decryption, according to Codenomicon.
    Perfect Forward Security Can Help
  • Contact Your Vendors

    Many third-party products and appliances have implemented OpenSSL, requiring updates. As a result, many workarounds may not be possible without vendor support, says Accuvant, so follow up with your third-party vendors.
    Contact Your Vendors
  • Strategic Recommendations

    Accuvant recommends: Regenerating the SSL private key, starting with externally facing systems; Rotating and revoking SSL certificates on externally facing systems; Restarting all web servers to terminate any live session IDs that may have been disclosed during an attack.
    Strategic Recommendations
  • Time for New Passwords

    Change passwords for all accounts, including: Single sign-on platforms that may have interacted with the host; Appliance web interface logins that may use OpenSSL and Apache; Active directory accounts that may have been used for back-end authentication.
    Time for New Passwords
  • Update Browser Configurations

    Updating browser configurations will reject revoked certificates. Not all browsers automatically check for revoked certificates, including some versions of Chrome and Internet Explorer, according to Accuvant.
    Update Browser Configurations
 
 
 
 
 
Karen A. Frenkel writes about technology and science, innovation, and entrepreneurs and lives in New York City.

 
 
 
 
 
 

Submit a Comment

Loading Comments...